Elliptic curve versions exist for many cryptosystems, in particular those involving discrete logarithms. An advantage of elliptic curves compared to working with integers mod is the following. In the integers, it is possible to use the factorization of integers into primes (especially small primes) to attack the discrete logarithm problem. This is known as the index calculus and is described in Section 10.2. There seems to be no good analog of this method for elliptic curves. Therefore, it is possible to use smaller primes, or smaller finite fields, with elliptic curves and achieve a level of security comparable to that for much larger integers mod This allows great savings in hardware implementations, for example.
In the following, we describe three elliptic curve versions of classical algorithms. Here is a general procedure for changing a classical system based on discrete logarithms into one using elliptic curves:
Nonzero numbers mod | Points on an elliptic curve | |
Multiplication mod | Elliptic curve addition | |
1 (multiplicative identity) | (additive identity) | |
Division mod | Subtraction of points | |
Exponentiation: | Integer times a point: | |
number of points on the curve | ||
Fermat: | (Lagrange’s theorem) | |
Discrete log problem: | Elliptic curve discrete log problem: | |
Solve for | Solve for |
Notes:
The elliptic curve is an elliptic curve mod some prime, so the number of points on the curve, including is finite.
Addition and subtraction of points on an elliptic curve are of equivalent complexity (if then and is computed as ), but multiplication mod is much easier than division mod (via the extended Euclidean algorithm). Both mod operations are usually simpler than the elliptic curve operations.
The elliptic curve discrete log problem is believed to be harder than the mod discrete log problem.
If we fix a number and look at the set of all integers mod then the analogues of the above are: addition mod the additive identity 0, subtraction mod multiplying an integer times a number mod (that is, ), the number of integers mod the relation and the additive discrete log problem: Solve for which can be done easily via the Extended Euclidean algorithm. This shows that the difficulty of a discrete log problem depends on the binary operation.
We recall the non-elliptic curve version. Alice wants to send a message to Bob, so Bob chooses a large prime and an integer He also chooses a secret integer and computes Bob makes public and keeps secret. Alice chooses a random and computes and where
She sends to Bob, who then decrypts by calculating
Now we describe the elliptic curve version. Bob chooses an elliptic curve where is a large prime. He chooses a point on and a secret integer He computes
The points and are made public, while is kept secret. Alice expresses her message as a point on (see Section 21.5). She chooses a random integer computes
and sends the pair to Bob. Bob decrypts by calculating
A more workable version of this system is due to Menezes and Vanstone. It is described in [Stinson1, p. 189].
We must first generate a curve. Let’s use the prime the point and To make lie on the curve we take Alice has a message, represented as a point that she wishes to send to Bob. Here is how she does it.
Bob has chosen a secret random number and has published the point
Alice downloads this and chooses a random number She sends Bob and He first calculates He now subtracts this from
Note that we subtracted points by using the rule from Section 21.1.
For another example, see Example 47 in the Computer Appendices.
Alice and Bob want to exchange a key. In order to do so, they agree on a public basepoint on an elliptic curve Let’s choose and and This forces us to choose in order to have the point on the curve. Alice chooses randomly and Bob chooses randomly. Let’s suppose and They keep these private to themselves but publish and In our case, we have
Alice now takes and multiplies by to get the key:
Similarly, Bob takes and multiplies by to get the key:
Notice that they have the same key.
For another example, see Example 48 in the Computer Appendices.
There is an elliptic curve analog of the procedure described in Section 13.2. A few modifications are needed to account for the fact that we are working with both integers and points on an elliptic curve.
Alice wants to sign a message (which might actually be the hash of a long message). We assume is an integer. She fixes an elliptic curve where is a large prime, and a point on We assume that the number of points on has been calculated and assume (if not, choose a larger ). Alice also chooses a private integer and computes The prime the curve the integer and the points and are made public. To sign the message, Alice does the following:
Chooses a random integer with and and computes
Computes
Sends the signed message to Bob
Note that is a point on and and are integers.
Bob verifies the signature as follows:
Downloads Alice’s public information
Computes and
Declares the signature valid if
The verification procedure works because
There is a subtle point that should be mentioned. We have used in this verification equation as the integer mod satisfying Therefore, is not 1, but rather an integer congruent to 1 mod So for some integer It can be shown that Therefore,
This shows that and cancel each other in the verification equation, as we implicitly assumed above.
The classical ElGamal scheme and the present elliptic curve version are analogs of each other. The integers mod are replaced with the elliptic curve and the number becomes Note that the calculations in the classical scheme work with integers that are nonzero mod and there are such congruence classes. The elliptic curve version works with points on the elliptic curve that are multiples of and the number of such points is a divisor of
The use of the of in the elliptic version is somewhat arbitrary. Any method of assigning integers to points on the curve would work. Using the is an easy choice. Similarly, in the classical ElGamal scheme, the use of the integer in the mod equation for might seem a little unnatural, since was originally defined mod However, any method of assigning integers to the integers mod would work (see Exercise 16 in Chapter 13). The use of itself is an easy choice.
There is an elliptic curve version of the Digital Signature Algorithm that is similar to the preceding (Exercise 24).